juanjo tugores - Fotolia


Use Android Enterprise to lock down mobile devices

IT can integrate Android controls with EMM tools via APIs from Google's Android Enterprise program. These EMM capabilities can help IT manage updates and secure devices.

Mobile device admins can integrate Google Android support into their enterprise mobility management tools with Android Enterprise APIs, which can provide IT with more configurations and features to manage mobile devices.

These APIs provide a range of management functions, many of which improve end-user security or the mobile user experience. IT can secure data and configure on-device browsers and applications with Android Enterprise, but some of these management functions only work under certain conditions.

The Android Enterprise APIs enable admins to perform tasks such as delaying updates and deploying private applications for Android OS in an enterprise mobility management (EMM) tool.

Managing updates with Android Enterprise

Managing Android updates used to be a struggle, but admins now have full control over when and how to deploy updates. IT pros can define OS updates to run immediately or during set hours.

If a major Android OS upgrade is on the way and an organization needs more time to test internal applications, IT can postpone updates up to 30 days for devices running Android 8.0 and below, or up to 90 days for devices running Android 9.0 and later. Google, however, requires a 60-day cooling period after a 90-day period of postponing updates. This mandatory period overrides any further delays to ensure that IT can't postpone updates indefinitely.

IT should force apps to update as soon as possible because old versions may have bugs, vulnerabilities or other issues.

For other update scenarios, IT only needs to determine whether or not to push updates as soon as they're available. IT can push updates out immediately to devices that run dual partitions; the changes will appear on the updated partitions after the next normal reboot of the device.

Running updates on a set schedule would benefit devices running a single partition, which reboot immediately after an update. IT should choose a time to run these updates when users likely won't be on their devices; late at night and early in the morning are generally the best options.

IT has similar options for application updates. For applications, however, IT has the benefit of defining when updates may happen: over a mobile data connection or only on Wi-Fi.

IT should ideally look to require apps to update as soon as possible because old versions may have bugs, vulnerabilities or other issues. At the same time, frequently updating applications over a cellular network can ramp up costs in some cases. The Wi-Fi-only option prevents that.

Advanced data loss prevention features

Unlike fully managed devices, Android devices with a work profile store corporate data in an isolated, encrypted on the disk with applications running in a separate profile.

Data loss prevention determines what data can move back and forth from the work profile. IT can implement the following commands:

  • prevent copy and paste between work and personal profiles;
  • redact lock screen notifications;
  • deny screenshots for work profile applications;
  • deny access to work documents from personal apps; and
  • deny sharing work documents with personal apps.

There are more capabilities, but these specific restrictions aim to prevent users from sharing work profile data. Redacted notifications ensure that users can only see work notifications once the device is unlocked, which prevents the device from displaying potentially sensitive information on an otherwise locked device.

Other management capabilities

Google Chrome browser management is one of the most impressive examples of Android Enterprise managed configurations. Android admins can set manual whitelists and blacklists and configure the Chrome proxy server. IT pros can run a blacklist if they want to ensure that users avoid a set list of sites. Whitelisting allows IT to set a list of acceptable sites for users to visit, and all other sites are blocked.

Android Enterprise features go beyond security, however. Google recently added the ability to manage in-house and web applications from the Google Play iframe, an application management console. This console requires support from the EMM tool, but if IT pros use Google Play iframe, they can take advantage of two very useful capabilities.

Web apps. Android Enterprise has not supported web shortcuts -- a handy feature for admins pushing intranet sites or useful corporate resources to devices -- since its inception. Web shortcuts are the equivalent of bookmarks that live on the home screen of devices. With the new Android Enterprise feature, however, IT can create and deploy web applications -- apps that run within a browser -- as if they were normal Google Play Store applications.

Private internal apps. IT can upload any private applications -- internal applications that aren't available in the app store -- to Google Play before deploying them. Previously, this process was lengthy and included a one-time fee of $25 for the upload of a private application.

With Android Enterprise's new private app upload, deploying these applications only takes minutes and no longer requires the one-time developer fee. Apps published with this method are automatically restricted to the Android Enterprise organization ID associated with the organization's Android Enterprise account. IT can deploy apps almost immediately after the upload.

Part one of this series identified helpful features for reducing data leakage and improving authentication on Android devices.

Dig Deeper on Mobile operating systems and devices

Unified Communications